I hear stories about insecure web servers and sites which people (or bots) break into and execute their own code on the server.

My question is: how is that possible? I heard of people putting their own JavaScript on websites, stealing cookies, and techniques for how to do that. I never heard of actual attacks to execute code. I know MySQL injections can be used to steal data and put JavaScript code on pages. But I am still having trouble thinking of how the weakness of a site can compromise a server. How is that possible?

The simplest would be an executable upload vulnerability. The set-up scenario would be that a site allows users to upload files to the site, say, images that the users might want to attach to forum posts they create. If there aren't security measures, and the files that the users are allowed to upload live in a web-accessible, executable location, there is the potential for a malicious user to upload something like a *.php or *.asp file instead, with code that will be run when the user navigates to the uploaded file.

The high value attacks are ones that get a root shell on a server. At that point you can run whatever you like.

One step down from that is an attack which uses functionality within a web app to gain a shell, which can be escalated to root. Sometimes that escalation is through uploading an executable to user space which gains privilege through an exploit.

All of these are very similar and, if successful, are the result of poor input validation.

While these may not actually put the physical server itself at risk, there are more painful things than losing a server. Like losing a database full of financial processing information, or PII.

Input validation is probably the single most important thing for web application developers to understand.

Even a very simple app, like a script that makes files available for viewing or download, can put you at risk. If you're passing files with a path to a script to cause the file to be downloaded or viewable, and you don't do any sanitizing on the paths to ensure, for example, that they are relative and within the DOCUMENT_ROOT, then you could end up with a webserver that would be quite happy to display your /etc/shadow file, or your iptables configuration, or anything else that lives in a file on your server.
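An added example, not part of the original answer: one way to do the path check described above, resolving the requested path first and then confirming it is still inside the document root. The function name `resolve_download`, the exception `PathRejected`, and the directory layout and requests in `demo` are constructed for illustration.

```python
import os
import tempfile

class PathRejected(Exception):
    """The requested path would leave the document root."""

def resolve_download(document_root: str, requested: str) -> str:
    """Return the real path of `requested` under `document_root`, or raise."""
    if "\x00" in requested:
        raise PathRejected("NUL byte in path")
    if os.path.isabs(requested):
        raise PathRejected("absolute path")
    root = os.path.realpath(document_root)
    # realpath collapses ".." and follows symlinks, so the containment
    # check runs on the file that would actually be opened.
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        raise PathRejected("escapes document root")
    if not os.path.isfile(candidate):
        raise PathRejected("not a regular file")
    return candidate

def demo() -> dict:
    """Run constructed requests against a throwaway document root."""
    requests = ["files/report.txt", "../secret.txt", "files/../../secret.txt",
                "/etc/shadow", "files/link.txt", "files/missing.txt"]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "htdocs")
        os.makedirs(os.path.join(root, "files"))
        secret = os.path.join(tmp, "secret.txt")  # lives outside the root
        for path, body in [(os.path.join(root, "files", "report.txt"), "public"),
                           (secret, "private")]:
            with open(path, "w") as fh:
                fh.write(body)
        # Constructed symlink: inside the root, pointing outside it.
        os.symlink(secret, os.path.join(root, "files", "link.txt"))
        for req in requests:
            try:
                resolve_download(root, req)
                results[req] = "served"
            except PathRejected as exc:
                results[req] = f"rejected: {exc}"
    return results

if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r:32} {outcome}")
```

Comparing resolved paths rather than scanning the string for `..` is what lets the symlink case be rejected along with the plain traversal attempts.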

You can also think about any shell code exploit. Think that the webserver can have some vulnerability that allows someone to cause a buffer overflow, and using it he can inject some code that will give him access to the shell.

Since the webserver is one application, it might be vulnerable to this kind of attack. For example, in this thread someone complains about being attacked by a shellcode through his webserver.

Here is a great book for you: "Hacking: The Next Generation". It illustrates many examples of how attacks are executed.

If the server hosts an app that does not restrict uploaded file types, for example, a malicious user can upload a shell (there are many of these) and run it over HTTP. Most of those shells allow privilege escalation. So if the server is not updated/patched, the attacker will have root access on the server. I've seen this happening many times, mainly in cheap web-hosting.